I have a simple AWS Lambda app. I need to front it with SSO; our IdP is Okta. The app is rarely used by a large number of employees. What would be the easiest way to do that without additional expenses and InfoSec complications (Amazon Cognito, ...)?
1 Answer
Note: You have in parentheses (Amazon Cog[n]ito, ...). I assume you are supplying Amazon Cognito as something you are considering, not something you want to avoid.
I think a relatively easy and cost-effective way would be to:
- Put your AWS Lambda app behind an AWS API Gateway REST API. Use Lambda proxy integration if you want to have the Lambda app handle all paths.
- Set up a Cognito User Pool with Okta as a SAML identity provider (https://repost.aws/knowledge-center/cognito-okta-saml-identity-provider).
- Set up a Cognito authorizer for your API Gateway API.
There will be some cost associated with the user pool and API, but I think this will be small compared to the complexity you would have to assume by handling all the SAML flows in your own code.
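As an added example (not part of the original answer or of any AWS sample), here is what the Lambda side of that setup looks like: a Python proxy-integration handler that serves every path under /{proxy+} and takes the caller's identity from the claims the Cognito authorizer attaches to the event, never from anything the client sends itself. The sample event, its claim values and the user names in it are constructed for illustration. One caveat to weigh before choosing this route: a Cognito authorizer on a REST API reads the token from the Authorization header of each request, so something on the client side has to obtain a token from Cognito and send it along.

```python
import json

# Added example, not code from the original answer: a Lambda handler for the
# "Lambda proxy integration behind a Cognito authorizer" setup. The event shape
# is what an API Gateway REST API sends to a proxy integration once a
# COGNITO_USER_POOLS authorizer has accepted the request; the claim values in
# SAMPLE_EVENT are constructed for illustration.

RESPONSE_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store",          # responses carry per-user data
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample event: the authorizer has already validated the Okta-backed
# user's Cognito token and flattened its claims into requestContext.
SAMPLE_EVENT = {
    "resource": "/{proxy+}",
    "path": "/whoami",
    "httpMethod": "GET",
    "headers": {"Authorization": "<token, already checked by the authorizer>"},
    "pathParameters": {"proxy": "whoami"},
    "requestContext": {
        "authorizer": {
            "claims": {
                "sub": "11111111-2222-3333-4444-555555555555",
                "email": "alice@example.com",
                "cognito:username": "Okta_alice@example.com",  # constructed
                "token_use": "id",
            }
        }
    },
    "body": None,
    "isBase64Encoded": False,
}


def _response(status, body):
    """Shape a response the way a proxy integration expects it."""
    return {"statusCode": status, "headers": RESPONSE_HEADERS, "body": json.dumps(body)}


def body_of(response):
    """Decode the JSON body of a proxy-integration response."""
    return json.loads(response["body"])


def caller_identity(event):
    """Return the claims the Cognito authorizer verified, or None if there are none.

    API Gateway validates the JWT before the Lambda runs and exposes its claims
    under requestContext.authorizer.claims. The handler still fails closed: if a
    method is ever deployed without the authorizer, the claims are absent and the
    request must not be treated as authenticated.
    """
    request_context = event.get("requestContext") or {}
    claims = (request_context.get("authorizer") or {}).get("claims") or {}
    if not claims.get("sub"):
        return None
    return claims


def lambda_handler(event, context=None):
    """Serve every path under /{proxy+} for the authenticated user."""
    claims = caller_identity(event)
    if claims is None:
        return _response(401, {"error": "unauthenticated"})

    method = event.get("httpMethod", "GET")
    path = event.get("path", "/")

    if method != "GET":
        return _response(405, {"error": "method not allowed"})
    if path == "/whoami":
        return _response(200, {
            "sub": claims["sub"],
            "email": claims.get("email"),
            "username": claims.get("cognito:username"),
        })
    # Any other path: key the answer to the verified identity, not to anything
    # the client supplied in headers or query parameters.
    return _response(200, {"path": path, "user": claims["sub"]})
```

Keep the 401 branch even though the authorizer sits in front of the function: it covers a method accidentally deployed with AuthorizationType NONE, and it lets the handler be exercised locally without API Gateway.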
3 Comments
NetworkMeister
Thank you, Doug! I did what you said; now I have a problem. I use an API Gateway REST API, but I serve a browser app, not an API. When I integrated Cognito, the Cognito authorizer redirects to the app with ?code= in the URL; however, that fails, with the app throwing a 401. It seems the app expects an Authorization header, not the code argument?
Doug Naphas
I'm not immediately sure how to fix that. I notice that these docs (docs.aws.amazon.com/apigateway/latest/developerguide/…) say "For Token source, enter Authorization as the header name to pass the identity or access token that's returned by Amazon Cognito when a user signs in successfully." Is your token source set to Authorization? Also, when it redirects to ?code=..., what's the path? Is it the same path as your app? When I've used Cognito in the past, I've had to do some other work at the path I get redirected to, but that may not apply here.
NetworkMeister
These docs assume you have a REST API and control over the client code, so you can take the token and put it in the Authorization header of the next request. In my case, I have a web app, so I cannot control the browser or the browser's request headers.